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Introduction 


The Information Commissioner is seeking feedback on her draft code of 
practice Age appropriate design - a code of practice for online services 
likely to be accessed by children (the code). 


The code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. 


The code is now out for public consultation and will remain open until 31 
May 2019. The Information Commissioner welcomes feedback on the 
specific questions set out below. 


Please send us your comments by 31 May 2019. 


Download this document and email to: 


ageappropriatedesign@ico.org.uk 


Print off this document and post to: 
Age Appropriate Design code consultation 
Policy Engagement Department 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation please 
telephone 0303 123 1113 and ask to speak to the Policy 
Engagement Department about the Age Appropriate Design code or 


email_ageappropriatedesign@ico.org.uk 


Privacy statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public or a parent). All responses from 
organisations and individuals responding in a professional capacity (e.g. 
academics, child development experts, sole traders, child minders, 
education professionals) will be published. We will remove email 
addresses and telephone numbers from these responses but apart from 
this, we will publish them in full. 


For more information about what we do with personal data, please see 
Our privacy notice. 


Section 1: Your views 


Q1. Is the ‘About this code’ section of the code clearly communicated? 


No 
If NO, then please provide your reasons for this view. 


The "At a glance" box states that the Code "provides practical guidance 
about how to ensure your online services appropriately safeguard 
children's personal data" and links it to compliance with the GDPR and 
PECR. However the body of the section goes much further, for example 
it states that the purpose of the Code is to give guidance on how to use 
data protection standards to "ensure [online services] are appropriate 
for use by, and meet the development needs of, children" which is a 
much more onerous requirement than safeguarding children's personal 
data. Given that it is provided that the Commissioner will measure 
compliance with data protection laws by reference to the standards, the 
extension of the concept of data protection to include the substance and 
suitablity of services should be clarified. 


Q2. Is the ‘Services covered by this code’ section of the code clearly 
communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Standards of age-appropriate design 


Please provide your views on the sections of the code covering each of 
the 16 draft standards 


1. Best interests of the child: The best interests of the child should be 
a primary consideration when you design and develop online services 
likely to be accessed by a child. 


2. Age-appropriate application: Consider the age range of your 
audience and the needs of children of different ages. Apply the standards 
in this code to all users, unless you have robust age-verification 
mechanisms to distinguish adults from children. 


3. Transparency: The privacy information you provide to users, and 
other published terms, policies and community standards, must be 
concise, prominent and in clear language suited to the age of the child. 
Provide additional specific ‘bite-sized’ explanations about how you use 
personal data at the point that use is activated. 


4. Detrimental use of data: Do not use children’s personal data in ways 
that have been shown to be detrimental to their wellbeing, or that go 
against industry codes of practice, other regulatory provisions or 
Government advice. 


5. Policies and community standards: Uphold your own published 
terms, policies and community standards (including but not limited to 
privacy policies, age restriction, behaviour rules and content policies). 


6. Default settings: Settings must be ‘high privacy’ by default (unless 
you can demonstrate a compelling reason for a different default setting, 
taking account of the best interests of the child). 


7. Data minimisation: Collect and retain only the minimum amount of 
personal data necessary to provide the elements of your service in which 


a child is actively and knowingly engaged. Give children separate choices 
over which elements they wish to activate. 


8. Data sharing: Do not disclose children’s data unless you can 
demonstrate a compelling reason to do so, taking account of the best 
interests of the child. 


9. Geolocation: Switch geolocation options off by default (unless you can 
demonstrate a compelling reason for geolocation, taking account of the 
best interests of the child), and provide an obvious sign for children when 
location tracking is active. Options which make a child’s location visible to 
others must default back to off at the end of each session. 


10. Parental controls: If you provide parental controls give the child 
age appropriate information about this. If your online service allows a 
parent or carer to monitor their child’s online activity or track their 
location, provide an obvious sign to the child when they are being 
monitored. 


11. Profiling: Switch options based on profiling off by default (unless you 
can demonstrate a compelling reason for profiling, taking account of the 
best interests of the child). Only allow profiling if you have appropriate 
measures in place to protect the child from any harmful effects (in 
particular, being fed content that is detrimental to their health or 
wellbeing). 


12. Nudge techniques: Do not use nudge techniques to lead or 
encourage children to provide unnecessary personal data, weaken or turn 
off privacy protections, or extend use. 


13. Connected toys and devices: If you provide a connected toy or 
device ensure you include effective tools to enable compliance with this 
code 


14. Online tools: Provide prominent and accessible tools to help children 
exercise their data protection rights and report concerns. 


15. Data protection impact assessments: Undertake a DPIA 
specifically to assess and mitigate risks to children who are likely to 
access your service, taking into account differing ages, capacities and 
development needs. Ensure that your DPIA builds in compliance with this 
code. 


16. Governance and accountability: Ensure you have policies and 
procedures in place which demonstrate how you comply with data 
protection obligations, including data protection training for all staff 
involved in the design and development of online services likely to be 
accessed by children. Ensure that your policies, procedures and terms of 
service demonstrate compliance with the provisions of this code 


Q3. Have we communicated our expectations for this standard clearly? 
1. Best interests of the child 


YES/NO. 


If NO, then please provide your reasons for this view. 


2. Age-appropriate application 
YES/NO. 


If NO, then please provide your reasons for this view. 
3. Transparency 
YES/NO 


If NO, then please provide your reasons for this view. 
4. Detrimental use of data 


YES/NO. 
If NO, then please provide your reasons for this view. 


5. Policies and community standards 
YES/NO. 


If NO, then please provide your reasons for this view. 
6. Default settings 
YES/NO. 


If NO, then please provide your reasons for this view. 
7. Data minimisation 
YES/NO. 


If NO, then please provide your reasons for this view. 
8. Data sharing 


YES/NO. 


If NO, then please provide your reasons for this view. 
9. Geolocation 
YES/NO. 


If NO, then please provide your reasons for this view. 
10. Parental controls 
YES/NO. 


If NO, then please provide your reasons for this view. 


11. Profiling 
YES/NO. 


If NO, then please provide your reasons for this view. 


12. Nudge techniques 
YES/NO. 


If NO, then please provide your reasons for this view. 
13. Connected toys and devices 
YES/NO. 


If NO, then please provide your reasons for this view. 
14. Online tools 
YES/NO. 


If NO, then please provide your reasons for this view. 
15. Data protection impact assessments 
YES/NO. 


If NO, then please provide your reasons for this view. 
16. Governance and accountability 


YES/NO: 


If NO, then please provide your reasons for this view. 


Q4. Do you have any examples that you think could be used to illustrate 
the approach we are advocating for this standard? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide details. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide details. 
3. Transparency 
YES/NO. 


If YES, then please provide details. 


4. Detrimental use of data 


YES/NO. 


If YES, then please provide details. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details. 
6. Default settings: 
YES/NO. 


If YES, then please provide details. 
7. Data minimisation 
YES/NO. 


If YES, then please provide details. 
8. Data sharing 
YES/NO. 


If YES, then please provide details. 
9. Geolocation 
YES/NO. 


If YES, then please provide details. 
10. Parental controls 
YES/NO. 


If YES, then please provide details. 
11. Profiling 
YES/NO. 


If YES, then please provide details. 
12. Nudge techniques 


YES/NO. 


If YES, then please provide details. 


13. Connected toys and devices 
YES/NO. 


If YES, then please provide details. 
14. Online tools 
YES/NO. 


If YES, then please provide details. 


15. Data protection impact assessments 
YES/NO. 


If YES, then please provide details. 
16. Governance and accountability 


YES/NO. 


If YES, then please provide details. 


Q5. Do you think this standard gives rise to any unwarranted or 
unintended consequences? 


1. Best interests of the child 
Yes 
If YES, then please provide your reasons for this view. 


The broad requirement to have the bests interests of the child as a 
primary consideration in the design and development of online services 
likely to be access by a child and the associated incorporation in the 
guidance of provisions of the UNCRC is unprecedented and is likely to 
introduce legal uncertainty. The extension of an international convention 
into domestic law by way of rules under delegated powers is a material 
development and could be considered to go beyond the scope of the 
powers of the Information Cmmissioner under s.123 of the Data 
Protection Act 1998. 


In addition, the application of the Convention by the Commissioner itself 
requires a consideration of rights and interests of children, parents and 


persons across society. While the Convention is clear that the rights of 
the child are to be a primary consideration, there still needs to be an 
assessment of those rights as against the rights of adults, for example 
rights to freedom of expression and association under the European 
Convention on Human Rights and rights to freedom of arts and sciences 
and to conduct business under the EU Charter of Fundamental Rights. 
The rights of children under the Convention to freedom of expression, 
freedom of association and access to information should also have been 
considered, but there is little evidence that the Commissioner has fully 
assessed the balance of these rights of the child against the requirement 
to offer them protection from information and material injurious to their 
wellbeing. The impact of the expansive interpretation that the Code has 
applied to s. 123 of the DPA, the UNCRC, and the GDPR could cause 
fewer services to be available, to children or in the UK at all, because of 
the increased costs and risks to service providers, and the frictions to 
user experience that would have to be introduced, which would cause the 
rights of children to free expression and access to information to be 
undermined. This may also render the Code vulnerable to legal challenge. 


The duties listed on page 20 as the actions necessary to meet the 
standard under this heading have little connection with most information 
society services. Many parents would surely not consider that it is the 
responsibilty of web platforms or online retailers to protect and support 
the wellbeing and physical, psychological and emotional development of 
their children, for example. Compelling ISS providers to take an active 
interest in such matters is at odds with principles of the GDPR in respect 
of (inter alia) data minimisation and restrictions on profiling. The ICO's 
own research "Towards a better digital future - Informing the Age 
Appropriate Design Code" indicated that even among self-selecting 
particpants, views on this topic were inconsistent. This broad standard, 
with far reaching effects, could be considered to be disproprtionate and 
vulnerable to legal challenge. 


In line with UNCRC it must still be the primary role and responsibility of 
parents to safguard the interests of their children. The draft Code 
undermines this, and could lead to an expectatation or understanding on 
the part of parents that the Internet is a safe enivronment for children 
and parental supervision will not be required. This would be a dangerous 
situation that would both diminish relationships between parents and 
children and leave children more vulnerable to being exposed to harmful 
content and bad actors online. 


It is already known from the impact of the GDPR that ISS providers 
(especially smaller businesses) will exit markets when they consider that 
a regulatory regime increases their risk and cost so as to make provision 
of their services non-viable, and that this can also cause investment in 
technology start ups and development to decline. This would be a very 


serious unintended and unwarranted consequence of the Code and would 
impact on the interests that all children have in a dynamic and 
prosperous economy and a vibrant online environment throughout 
childhood and in their eventual adulthood. 


The comments in this section apply in general terms across all of the 
standards in the draft Code and are also relevant to Question 3. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide your reasons for this view. 


A requirement to assess what is appropriate for the interests, needs and 
evolving capacities of individual children seems likely to require collection 
of data and profiling of children in ways that could be inconsistent with 
the principle of data minimisation and restrictions on profiling in the 
GDPR. 


The Code recommends providing "a child appropriate service to all users 
by default with the option of age verification mechanisms to opt out of 
the protections in this code". However the requirements for child 
appropriate services (including the increased risk involved in collecting 
and holding the personal data necessary to tailor services to each child) 
are likely to have serious unwarranted consquences. They will encourage 
ISS providers to make their services adult only which will disadvantage 
children by removing their access to content and services, and 
disadvantage adults by requiring collection of more of their personal data 
to carry out age verification and introducing frictions to their use of online 
services. There will also be serious adverse consequence for competition 
in online services as the risks and costs of tailoring services, running 
multiple bespoke offerings to different age groups and carrying out age 
verification (and sustaining the loss of traffic that will likely follow) will 
mean that smaller operators will be forced out of the market or deterred 
from starting up. 


3. Transparency 
YES/NO. 


If YES, then please provide your reasons for this view. 
4. Detrimental use of data 


Yes 


If YES, then please provide your reasons for this view. 


The overlaying of a duty not to "use children's personal data in ways that 
have been shown to be detrimental their wellbeing" introduces legal 
uncertainty and could influence the interpretation of the GDPR more 
widely. In particular the invocation of Recital 2 and the reference to 
the "wellbeing of natural persons" as meaning that: 


"you should not process children's personal data on ways that are 
obviously or have been shown to be derimental to their health or 
wellbeing. To do so would not be fair" 


seems likely to suggest that this standard could be applied to processing 
of personal data more generally. 


The reference to the recommendation of the UK Chief Medical Officers 
that technology companies "recognise a precautionary approach in 
developing structures and remove addictive capabilities" even while 
acknowledging the lack of evidence to support the proposition that 
current practices are harmful indicates that ISS providers will be 
disincentivised from using data in ways that are legal and have no proven 
ill effects. Combined with other standards in the Code that will require all 
personal data (not just that of children) to be protected to this level, this 
seems likely to cause a reduction in innovation and in the quality of 
services made available to both adults and children. 


5. Policies and community standards 
Yes 


If YES, then please provide your reasons for this view. 


The requirement to uphold published terms, policies and community 
standards means that the ICO will effectively be enforcing policies and 
standards that are intended to be non-binding. This will risk both a 
reduction in standards that ISS providers are prepared to commit to in 
their operating documentation, and compromising the necessary 
discretion that providers need to have in operating their services where 
there is a plurality ofi interests, both of the ISS provider itself and as 
between its users. 


6. Default settings 
YES/NO. 


If YES, then please provide your reasons for this view. 
7. Data minimisation 
Yes 


If YES, then please provide your reasons for this view. 


As noted above the data minimisation principles in the Code and in the 
GDPR are, at best, in tension with the requirement to ensure that 
services meet the needs of a child that may access them at each stage of 
their development. In order to avoid infringing the requirements of data 
minimsation, and associated provisions of the GDPR that apply to the use 
of data once collected, it seems more likely that providers will seek to 
block access to their services by children by operating age verification, 
whch will disadvantage adults, children and the UK's wider society and 
economy. 


8. Data sharing 
Yes 


If YES, then please provide your reasons for this view. 


The strict requirements on sharing the personal data of children will mean 
that, unless age verification is introduced to prevent children accessing a 
service at all, ISS providers will have to elect to either collect age data on 
all of their users to identify which personal data can be shared, or cease 
all sharing of personal data. Sharing of personal data is not prohibited by 
the GDPR, and in many instances it is beneficial to data subjects as using 
third party services enables ISS providers to offer better, more innovative 
and more secure services to their users. 


9. Geolocation 
YES/NO. 


If YES, then please provide your reasons for this view. 
10. Parental controls 
YES/NO. 


If YES, then please provide your reasons for this view. 
11. Profiling 
Yes 


If YES, then please provide your reasons for this view. 


Please see related responses above. The risk to ISS providers of being 
found to be in violation of the Code and the GDPR by reason of profiling 
suggests that they will be reluctant to undertake the tailoring to children 
and age verfication required elsewhere in the Code (in case this is found 
not to be a "compelling reason" for profiling), which will result in more 
limited services, from fewer operators being available to adults and 
children. 


The negative view taken of recommending content (the loaded term 
"feeding content" is used) is also in tension with the requirements 
elsewhere to tailor offerings to children to suport their development and 


wellbeing, and will further disincentivise providers from allowing children 
to access their services at all. At best it will mean only static content will 
be available to children. 


12. Nudge techniques 
YES/NO. 


If YES, then please provide your reasons for this view. 
13. Connected toys and devices 
YES/NO. 


If YES, then please provide your reasons for this view. 
14. Online tools 
YES/NO. 


If YES, then please provide your reasons for this view. 
15. Data protection impact assessments 
YES/NO. 


If YES, then please provide your reasons for this view. 
16. Governance and accountability 


YES/NO. 


If YES, then please provide your reasons for this view. 


Q6. Do you envisage any feasibility challenges to online services 
delivering this standard? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

3. Transparency 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
4. Detrimental use of data 


YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

6. Default settings 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

7. Data minimisation 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

8. Data sharing 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

9. Geolocation 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

10. Parental controls 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


11. Profiling 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

12. Nudge techniques 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

13. Connected toys and devices 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

14. Online tools 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

15. Data protection impact assessments 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
16. Governance and accountability 


YES/NO. 
If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


Q7. Do you think this standard requires a transition period of any longer 
than 3 months after the code come into force? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

3. Transparency 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

4. Detrimental use of data 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

6. Default settings 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

7. Data minimisation 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

8. Data sharing 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


9. Geolocation 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

10. Parental controls 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

11. Profiling 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

12. Nudge techniques 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

13. Connected toys and devices 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

14. Online tools 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

15. Data protection impact assessments 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


16. Governance and accountability 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


Q8. Do you know of any online resources that you think could be usefully 
linked to from this section of the code? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide details (including links). 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide details (including links). 
3. Transparency 
YES/NO. 


If YES, then please provide details (including links). 
4. Detrimental use of data 


YES/NO. 
If YES, then please provide details (including links). 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details (including links). 
6. Default settings 
YES/NO. 


If YES, then please provide details (including links). 
7. Data minimisation 
YES/NO. 


If YES, then please provide details (including links). 
8. Data sharing 
YES/NO. 


If YES, then please provide details (including links). 
9. Geolocation 
YES/NO. 


If YES, then please provide details (including links). 
10. Parental controls 
YES/NO. 


If YES, then please provide details (including links). 
11. Profiling 
YES/NO. 


If YES, then please provide details (including links). 
12. Nudge techniques 
Yes 


If YES, then please provide details (including links). 
13. Connected toys and devices 


No 


If YES, then please provide details (including links). 
14. Online tools 
YES/NO. 


If YES, then please provide details (including links). 
15. Data protection impact assessments 
YES/NO. 


If YES, then please provide details (including links). 
16. Governance and accountability 


YES/NO. 


If YES, then please provide details (including links). 


Q9. Is the ‘Enforcement of this code’ section clearly communicated? 
YES/NO. 

If NO, then please provide your reasons for this view. 

Q10. Is the ‘Glossary’ section of the code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q11. Are there any key terms missing from the ‘Glossary’ section? 
YES/NO. 


If YES, then please provide your reasons for this view. 


Q12. Is the ‘Annex A: Age and developmental stages’ section of the 
code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q13. Is there any information you think needs to be changed in the 
‘Annex A: Age and developmental stages’ section of the code? 


YES/NO. 
If YES, then please provide your reasons for this view. 


Q14. Do you know of any online resources that you think could be 
usefully linked to from the ‘Annex A: Age and developmental 
stages’ section of the code? 


YES/NO. 
If YES, then please provide details (including links). 


Q15. Is the ‘Annex B: Lawful basis for processing’ section of the 
code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q16. Is this ‘Annex C: Data Protection Impact Assessments’ 
section of the code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q17. Do you think any issues raised by the code would benefit from 
further (post publication) work, research or innovation? 


YES/NO. 


If YES, then please provide details (including links). 


Section 2: About you 


Are you: 


A body representing the views or interests of children? 


Please specify: 


A body representing the views or interests of parents? 


Please specify: 


A child development expert? 


Please specify: 


An Academic? 


Please specify: 


An individual acting in another professional capacity? 


Please specify: 


A provider of an ISS likely to be accessed by children? 


Please specify: 


A trade association representing ISS providers? 


Please specify: 


An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the 
public or a parent)? 


An ICO employee? 


Other? 


Please specify: 


Thank you for responding to this consultation. 


We value your input. 


